About the security content of Apple TV 2.1

This document describes the security content of Apple TV 2.1.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

Apple TV 2.1

Apple TV

CVE-ID: CVE-2008-1015

Available for: Apple TV

Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

Description: An issue in the handling of data reference atoms may result in a buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of data reference atoms. Credit to Chris Ries of Carnegie Mellon University Computing Services for reporting this issue.

Apple TV

CVE-ID: CVE-2008-1017

Available for: Apple TV

Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

Description: An issue in the parsing of 'crgn' atoms may result in a heap buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Sanbin Li working with TippingPoint's Zero Day Initiative for reporting this issue.

Apple TV

CVE-ID: CVE-2008-1018

Available for: Apple TV

Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

Description: An issue in the parsing of 'chan' atoms may result in a heap buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.

Apple TV

CVE-ID: CVE-2008-1585

Available for: Apple TV

Impact: Playing maliciously crafted QuickTime content may lead to arbitrary code execution

Description: A URL handling issue exists in the handling of file: URLs. This may allow arbitrary applications and files to be launched when a user plays maliciously crafted QuickTime content. This update addresses the issue by no longer launching local applications and files. Credit to Vinoo Thomas and Rahul Mohandas of McAfee Avert Labs, and Petko D. (pdp) Petkov of GNUCITIZEN working with TippingPoint's Zero Day Initiative for reporting this issue.

Apple TV

CVE-ID: CVE-2008-0234

Available for: Apple TV

Impact: Playing maliciously crafted QuickTime content may lead to an unexpected application termination or arbitrary code execution

Description: A heap buffer overflow exists in the handling of HTTP responses when RTSP tunneling is enabled. Playing maliciously crafted QuickTime content may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

Apple TV

CVE-ID: CVE-2008-0036

Available for: Apple TV

Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow may occur while processing a compressed PICT image. Opening a maliciously crafted compressed PICT file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Chris Ries of Carnegie Mellon University Computing Services for reporting this issue.